Medium severity6.5NVD Advisory· Published Feb 20, 2018· Updated Jun 17, 2026
CVE-2018-6356
CVE-2018-6356
Description
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:jenkins-coreMaven | < 2.89.4 | 2.89.4 |
org.jenkins-ci.main:jenkins-coreMaven | >= 2.90, < 2.107 | 2.107 |
Affected products
1Patches
Vulnerability mechanics
References
10- www.oracle.com/security-alerts/cpuapr2022.htmlnvdPatchThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2018/02/14/1nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-5p59-v5wm-77v4ghsaADVISORY
- jenkins.io/security/advisory/2018-02-14/nvdVendor Advisory
- nvd.nist.gov/vuln/detail/CVE-2018-6356ghsaADVISORY
- www.securityfocus.com/bid/103037nvdBroken LinkVDB Entry
- github.com/jenkinsci/jenkins/commit/9de62915807deab61d6e780eed660428f9889b51ghsaWEB
- github.com/jenkinsci/jenkins/commit/eb03a42078f29dbed3742b8740c95e02890e4545ghsaWEB
- jenkins.io/security/advisory/2018-02-14ghsaWEB
- web.archive.org/web/20200227130607/http://www.securityfocus.com/bid/103037ghsaWEB
News mentions
0No linked articles in our index yet.